ZAG Technical Services has been thinking a lot about client security lately. When we came across this blog about passwords, we knew we had to share it with all ZAG clients. It’s all too easy to think passwords are a nuisance—when really they’re essential to keeping your data and your business safe.
If you use the same password for multiple systems—online shopping, email, your company’s cloud bookkeeping solution, etc.—you’re not alone. Even Facebook founder Mark Zuckerburg did that. And in 2016 his LinkedIn credentials were compromised in a major breach. That gave hackers access to his Twitter account, too, because the passwords were the same.
The fact is, with just one user password, hackers can often break into multiple applications and systems. Your whole business can very quickly be put at risk. That’s why a good security practice is to have a different, strong password for every account. A breach will be isolated to that account, and the fallout will be much smaller and easier to manage.
Be extra protective of your sensitive accounts
When it comes to ultra-sensitive accounts like company servers or your banking apps, make extra sure the password you use isn’t one you’ve used anywhere else. Banks usually have strong security measures, but even those won’t protect you if someone tries a password you’ve used somewhere else and it works. The consequences could be disastrous.
Email is another big one to safeguard—work and personal. If someone gets into your email, the potential for damage goes up exponentially. They can send out phishing, ransomware, or other malicious attacks to any or all of your contacts, and they’ll seem legitimate because they’ve come directly from you.
Be unique and strong
Of course, in addition to being unique, your passwords have to be strong, too. At a minimum, that means making each one long. Pick one with at least eight characters, but the longer the better. If you can use phrases of multiple words instead of a single word, that’s even better still. (And for goodness’ sake, don’t use “password”.)
So why don’t more people use unique, strong passwords for every account? Usually, because they feel like it’s too much work. If you have dozens or hundreds of accounts, having a different password for each one might seem like a royal pain. And long, complex passwords are definitely hard if not impossible to remember. Fortunately, there are solutions to help manage passwords for you so your brain (or an insecure notebook or spreadsheet) doesn’t have to do all the work. Having the right tools is just as important as having the right practices in place.
Best practices for password security for your company
So what’s the best way to keep your passwords strong? Here are some tips:
1. Establish a company “password refresh” policy.
No matter how big or small your business is, make sure you have a policy for setting and refreshing passwords. For example, don’t allow people to use basic dictionary words. Don’t allow identical strings of characters from previous passwords. And make every password unique—i.e., not one that somebody’s used for a different system. Educate your team about good “password hygiene” and how weak changes or reusing passwords can put both your organization and your users’ personal accounts at risk.
2. Change your passwords regularly.
How often you should change your passwords depends on how critical a system is. Passwords for accounts with administrative privileges (ones that let users make system or account changes) should be updated more often than others because unauthorized access to admin accounts can be so much more devastating. We suggest changing them every 90 days. Passwords for less critical systems can go a little longer, but should still be changed every 180 days.
But be aware: those timeframes apply if you have a password management system that automatically generates strong passwords. If you’re relying on users to choose their own passwords, you should require more frequent changes.
That said, a password management system is a great idea. It will let you set expiry dates for passwords so users are prompted to change them before they can re-access a system.
Even with auto-expiries, tell your users they don’t have to—and in some cases, shouldn’t—wait for the scheduled expiry date to change their passwords. The fresher, the better!
3. Change passwords immediately if they’re shared or breached.
While the rule should be “don’t share passwords”, if you absolutely have to share one, change it as soon as the other user is done. Even if they’re well-meaning, they could have noted it somewhere visible or stored it in an unsecured location, leaving it vulnerable to malicious players. And of course, in cases of a known or suspected breach, change any affected passwords right away.
By following those three principles—set a policy, change passwords regularly, and change any password that’s shared or breached—you’ll go a long way toward keeping your information safe.
If you’d like to learn more about how to manage your passwords, let us know.